HIPAA update expected to raise new tech compliance questions
Proposed changes to the HIPAA Privacy Rule, circulating since last spring’s public comment period, are expected to be finalized in 2022.
The exact nature of the changes remains unclear, but the rule’s author, the Department of Health and Human Services (HHS), intends key components to:
- strengthen individuals’ rights to access their own health information;
- improve information-sharing for care coordination and case management;
- reduce the administrative burden on covered-entity care providers and health plans; and
- protect individuals’ health information privacy interests.
At the same time, however, health IT compliance experts point out another layer to the updated rule’s projected impact. In today’s healthcare environment, new and evolving technologies don’t always fit neatly within HIPAA’s domain — which means you should think through how to handle certain scenarios. Here’s a look at three such areas and their potential effect in practical terms.
Personal health apps
A covered-entity hospital fulfills an individual’s request to transmit electronic protected health information (ePHI) to an app used by the individual. What would happen if the app designated to receive the ePHI later experiences a data breach?
The answer depends on the relationship between the covered entity and the app, according to HHS. Suppose the app chosen by the individual to receive the requested ePHI was not provided by or on behalf of the hospital (i.e., the app is neither a covered entity nor a business associate). In that case, the information is no longer subject to HIPAA protections. The hospital would not be liable for any subsequent use or disclosure of the requested ePHI received by the app.
On the other hand, an app developed for or provided on behalf of the hospital would create a business associate relationship between the hospital and the app developer. In such a case, the hospital could be liable under HIPAA if the app impermissibly discloses the ePHI.
Relatedly, under HIPAA provisions for individuals’ right of access, a patient may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. The patient should be advised that the hospital would not be responsible for unauthorized access to the ePHI while it is in transmission to the app.
Artificial intelligence
Healthcare entities’ use of artificial intelligence (AI) may raise HIPAA implications when the AI generates identifiable patient data. Covered entities should protect themselves by de-identifying patient data before uploading it into an AI database. This entails the removal of identifiers in compliance with applicable standards. Further, it’s important to note that AI product developers may add data elements to their systems over time to address potential algorithmic bias. IT executives should continually assess the risk that AI systems are creating identifiable data linkages that did not previously exist.
Wearable devices
Tens of millions of people regularly use wearable devices that collect or generate health information. Unlike patient-level data held and managed by healthcare entities and their business associates, “health-relevant” data gathered by wearable vendors is not protected under HIPAA. Wearable companies can use consumer health data for product development, or they may even sell it outright to third parties. Hospitals and health systems should inform wearable users about potential non-HIPAA-covered use of their data.
When HHS issues its final rule, covered entities will need to act by revising current HIPAA policies and procedures, retraining employees on relevant changes, and working with patients to ensure they understand how their data may be used.
Frank Irving is a Philadelphia-based content writer and communications consultant specializing in healthcare, technology and sports.